Introduction:
The purpose of this article is to provide specific guidelines on how to perform a Proof of Concept (PoC) for Microsoft Defender for Cloud’s native Amazon Web Services (AWS) support. This article is part of a series of articles called The Microsoft Defender for Cloud PoC Series, each providing specific guidelines on how to perform a PoC for a specific Microsoft Defender for Cloud plan. For a more holistic approach and where you need to validate Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) capabilities all up, see the How to Effectively Perform an Microsoft Defender for Cloud PoC article.
Planning:
This section highlights important considerations and availability information that you should be aware of when planning for the PoC. Let’s start with outlining how to go about planning for a PoC of Microsoft Defender for Cloud native AWS support.
NOTE: At the time of writing this article, Microsoft Defender for Cloud native AWS support isn’t available for national clouds (such as Azure Government and Azure China 21Vianet). For most actual information, see Feature support in government and national clouds.
The first step begins with a clear understanding of the benefits that enabling the native AWS support in Microsoft Defender for Cloud brings to your organization. Microsoft Defender for Cloud’s native AWS support provides:
- Foundational CSPM for AWS resources
- Defender CSPM for AWS resources
- CWP support for Amazon EKS clusters
- CWP support for AWS EC2 instances
- CWP support for SQL servers running on AWS EC2, RDS Custom for SQL Server
The CSPM (both foundational capabilities and Defender CSPM) for AWS resources is completely agentless. At the time of writing this article, the following data types are supported in AWS. Foundational CSPM providing you with recommendations on how to best harden your AWS resources and remediate misconfigurations. Keep in mind that Defender for cloud offers foundational multicloud CSPM capabilities for free.
Defender CSPM provides you advanced posture management capabilities such as Attack path analysis, Cloud security explorer, advanced threat hunting, security governance capabilities, and also tools to assess your security compliance with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region.
The CWP support for AWS EC2 instances offers a wide set of capabilities, including automatic provisioning of pre-requisites on existing and new machines, vulnerability assessment, integrated license for Microsoft Defender for Endpoint (MDE), file integrity monitoring and more.
The CWP support for Amazon EKS clusters offers a wide set of capabilities including discovery of unprotected clusters, advanced threat detection for the control plane and workload level, Kubernetes data plane recommendations (through the Azure Policy extension) and more.
The CWP support for SQL servers running on AWS EC2, AWS RDS Custom for SQL Servers offers a wide set of capabilities, including advanced threat protection, vulnerability assessment scanning, and more.
Now that we’ve touched briefly on the benefits that Microsoft Defender for Cloud’s native AWS support provides, let’s move onto the next step. Next up is identifying which use cases the PoC should cover. A common use case might be that Management ports of EC2 instances should be protected with just-in-time network access control, or blocking public access on S3 buckets.
Preparation and Implementation:
This section highlights the requirements that you should be aware of before starting the PoC. For the complete list of pre-requirements, see the Prerequisites section.
There are three main steps when preparing to enable Microsoft Defender for Cloud’s native AWS support.
- Determining which capabilities are in the scope of the PoC
At the time of writing this article, Defender for Cloud supports the following AWS capabilities: (see Figure 1):
- Foundational CSPM for AWS resources
- Defender CSPM for AWS resources
- CWP support for Amazon EKS clusters (including agentless vulnerability assessment for Elastic Container Registry)
- CWP support for AWS EC2 instances
- CWP support for SQL servers running on AWS EC2, RDS Custom for SQL Server
- Selecting the AWS accounts on which you’d like to perform the PoC
For the purposes of this PoC, it’s important that you identify which AWS account(s) are going to be used to perform the PoC of Defender for Cloud’s native AWS support. You can choose a single AWS account or optionally, you can choose a management account, which will include each member account discovered under the provisioned Management account.
- Connecting AWS accounts Microsoft Defender for Cloud
You can connect AWS accounts to Microsoft Defender for Cloud with a few clicks in Azure and AWS. For detailed technical guidance see Microsoft Docs. For a video of step-by-step guidance on how this process looks like end-to-end in Azure and AWS, see this short video.
NOTE: Our service performs API calls to discover resources and refresh their state. If you’ve enabled a trail for read events in CloudTrail and are exporting data out of AWS (i.e. to an external SIEM), the increased volume of calls might also increase ingestion costs and we recommend filtering out the read-only calls from the Defender for (as stated here, under ”Important”).
Validation
Once you’ve created the connector, you can validate it by analyzing the data relevant to the use cases that your PoC covers.
When validating recommendations for AWS resource, you can consult reference list of AWS recommendations.
When validating attack paths and cloud security graph components, you can consult the following reference list.
When validating alerts for EC2 instances, you can consult reference list of alerts for machines.
When validating alerts for EKS clusters, you can consult reference list of alerts for containers – Kubernetes clusters.
When validating alerts for SQL servers running on AWS EC2 and AWS RDS Custom for SQL Server, you can consult reference list of alerts.
- You can also export Defender for Cloud security alerts to a SIEM (i.e. Azure Sentinel or 3rd party SIEM).
- Learn more about how to stream alerts to a SIEM, SOAR or ITSM.
- Learn more about how to investigate Microsoft Defender for Cloud alerts using Microsoft Sentinel.
Closing Considerations:
By the end of this PoC, you should be able to determine the value of the native AWS support in Microsoft Defender for Cloud and the importance of having it enabled for your AWS resources. Stay tuned for more Microsoft Defender for Cloud PoC Series here.
P.S. To stay up to date on helpful tips and new release, subscribe to our Microsoft Defender for Cloud Newsletter and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.
Reviewers:
Or Serok Jeppa, Senior Program Manager
